Ineffective SSL

Coffee-shop attacks are common. Tools like Firesheep (see Figure 4-5) passively sniff an open wi-fi network for unencrypted HTTP traffic and pick out the session cookies that browsers and apps send to social media sites; that cookie alone is enough to hijack the logged-in session, without ever seeing the password. So if you are sending usernames, passwords, or session tokens, always send them over SSL (TLS). You cannot assume that no one is listening.


Figure 4-5 Firesheep

Note

Firesheep only runs on the old Firefox 3.x line, but several sites still offer those earlier versions to anyone who wants them, so the Firesheep add-on can still be used.
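As an added example (not code from the book), here is the client side of the advice above: an Android/Java login helper that refuses to send credentials over anything but HTTPS, keeps them out of the query string, and disables redirect following so a server that answers with an https-to-http redirect cannot silently downgrade the request onto the open wi-fi. The endpoint https://example.com/login and the form field names user and pass are assumptions for illustration.

```java
// Added example, not from the book. Assumes a hypothetical endpoint
// https://example.com/login that accepts a form-encoded POST with the
// fields "user" and "pass".
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public final class HttpsOnlyLogin {

    /** Parse the URL and refuse anything that is not https. */
    static URL requireHttps(String urlString) throws IOException {
        URL url = new URL(urlString);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("Refusing to send credentials over "
                    + url.getProtocol() + ": cleartext is readable by anyone on the same wi-fi");
        }
        return url;
    }

    /** Form-encode the credentials for the POST body (never put them in the query string,
     *  where they end up in server logs and browser history). */
    static String formBody(String user, String pass) throws IOException {
        return "user=" + URLEncoder.encode(user, "UTF-8")
             + "&pass=" + URLEncoder.encode(pass, "UTF-8");
    }

    /**
     * POST the credentials over TLS and return the HTTP status code.
     * Redirects are disabled so a misconfigured server cannot bounce the
     * request to a cleartext http:// URL.
     */
    static int postCredentials(String loginUrl, String user, String pass) throws IOException {
        URL url = requireHttps(loginUrl);
        // For an https:// URL openConnection() returns an HttpsURLConnection,
        // which validates the server certificate against the system trust store.
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setInstanceFollowRedirects(false);
            conn.setDoOutput(true);
            conn.setConnectTimeout(10000);
            conn.setReadTimeout(10000);
            conn.setRequestProperty("Content-Type",
                    "application/x-www-form-urlencoded; charset=UTF-8");

            byte[] body = formBody(user, pass).getBytes(StandardCharsets.UTF_8);
            conn.setFixedLengthStreamingMode(body.length);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical endpoint and credentials, for illustration only.
        int status = postCredentials("https://example.com/login", "alice", "correct horse");
        System.out.println("login returned HTTP " + status);
    }
}
```

Two caveats go with this. First, the session token the server hands back (usually in a Set-Cookie header) has to be protected the same way: keep sending it only over HTTPS, and have the server mark the cookie Secure so a browser or cookie-aware client will never leak it over http://. Second, leave the default TrustManager and HostnameVerifier alone; the Firesheep-style sniffer is defeated by encryption, but an app that overrides certificate validation to "accept everything" hands the same wi-fi attacker an easy man-in-the-middle instead.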

SSL certs come from a CA, so your users will know that some verification has been done by a third party ...

From Bulletproof Android™: Practical Advice for Building Secure Apps (O’Reilly).